The IDP sometime needs to send user attributes via SAML Attribute statements in the assertion, to a service provider. The IDP when running on JBoss AS can use the following:

1. Set the Attribute Manager on the IDP to be org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager

2. <PicketLinkIDP  AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"> 
   </PicketLinkIDP>
   
3. Configure the security domain of the IDP to also include mapping configuration for attributes.
4. Configure JBoss AS Attribute Mapping Provider that can interface with the ldap. This mapping provider should go in the security domain configuration.  Reference: http://community.jboss.org/wiki/MappingRolesInJBossApplicationServerV5x   (Remember, it is type=attribute   on the mapping provider)
5. The ldap mapping provider in JBAS is

org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider

Code: http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java

If you want to get a glimpse into the mapping provider configuration, look in https://community.jboss.org/wiki/PicketLinkSTSLoginModules